I am entering any password but I am getting successful logins. I am confused.
php code:
// LOGIN USER
// variable declaration
$email = "";
$mobile = "";
$under_userid = "";
$errors = array();
$_SESSION['success'] = "";
require('php-includes/connect.php');
session_start();
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$Hpassword = hash('sha512', $_POST['password']);
$query = "SELECT * FROM user WHERE email='$email' AND password='$Hpassword'";
$mysqli_query = mysqli_query($con, $query);
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
}
please help me
You are not checked here if username and password are correct or not.
if (count($errors) == 0) {
$Hpassword = hash('sha512', $_POST['password']);
$query = "SELECT * FROM user WHERE email='$email' AND password='$Hpassword'";
$mysqli_query = mysqli_query($con, $query);
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
Please correct it using if condition is there any field match with that username or password as below
if(count($mysqli_query)>0)
{
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
You are getting login successful because there is no script which can track that provided password is in-correct or correct. So you need to add following if-statement for checking it,
if(mysqli_num_rows($mysqli_query) > 0){
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
mysqli_num_rows() will get the rows of match data from database and if there is row the if-statement will be true and then you will only get successful login. Other wise it will be fail and you can show error to user.
Related
please help my login is successfully done but after login logout automatically I am beginner please help me. please check attached images.
Access Denied Image
Login success image
login.php
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$Hpassword = hash('sha512', $_POST['password']);
$query = "SELECT * FROM user WHERE email='$email' AND password='$Hpassword'";
$mysqli_query = mysqli_query($con, $query);
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
}
Checklogin.php
<?php
session_start();
if(isset($_SESSION['id']) && $_SESSION['login_type']=='user'){
}
else{
echo '<script>alert("Access denied");window.location.assign("index.php");</script>';
}
?>
You are missing session_start() in login.php page
session_start();
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$Hpassword = hash('sha512', $_POST['password']);
$query = "SELECT * FROM user WHERE email='$email' AND password='$Hpassword'";
$mysqli_query = mysqli_query($con, $query);
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
}
// LOGIN USER
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM register WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
}
$qry = "SELECT * from register";
$result = mysqli_query($qry);
$row = mysqli_fetch_array($result);
$id = $row[0];
if (mysqli_num_rows($results) == 1) {
//here i want to change session from username to id
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
?>
This code is also working but i want to replace the username session to id session. Please help me how i get replace it by id.
Here i want to set session as id from username. so please help me how i have to get the solution of my code.
Just copy this Code :
replace your code
$_SESSION['username'] = $username;
to
$_SESSION['id'] = $username;
look like :
if (mysqli_num_rows($results) == 1) {
//here i want to change session from username to id
$_SESSION['id'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
You can get the value like this, because we are get result into an array
$row = mysqli_fetch_array($result);
$id = $row[0];
Correct method is below
// LOGIN USER
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM register WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
}
$qry = "SELECT * from register";
$result = mysqli_query($qry);
$row = mysqli_fetch_array($result);
// $id = $row[0];
$id = $row['id']; //this is the primary key
if (mysqli_num_rows($results) == 1) {
$_SESSION['id'] = $id;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
?>
Just set the $_SESSION['id'] = $id.
I have created a session of which a user is using email and password to log in, and the session is capturing his/her email, I want to use the email to fetch her other data like first name and last name, I tried to get it but due to my newbie I ended up getting error, here is my login code:
// LOGIN A USER INTO HIS/HER ACCOUNT
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($db, $_POST['email']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE email='$email' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['email'] = $email;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong Email or Password combination");
}
}
}
and I figured it to be like the following code below:(which is not actually working)
if($result) {
if(mysqli_num_rows($result) == 1) {
//Login Successful
session_regenerate_id();
$user = mysqli_fetch_assoc($result);
$_SESSION['id'] = $user['user_id'];
$_SESSION['email'] = $user['email'];
$_SESSION['first_name'] = $user['first_name'];
$_SESSION['last_name'] = $user['last_name'];
session_write_close();
header("location: user_index.php");
exit();
else {
$sql = "SELECT first_name FROM users WHERE email = '" .
$_SESSION['email'] . "'";
$result = mysqli_query($sql);
$user = mysqli_fetch_array($result);
echo "Hello, " . $user['first_name']";
}
I found this way to be working, thank you all who tried to help
<?php
include'db.php';
if(isset($_SESSION['email'])){
$query = "SELECT first_name FROM users WHERE email= '".$_SESSION['email']."'";
$result = mysqli_query($db, $query) or
die(mysql_error($db));
if (!$result) die('Query failed: ' . mysqli_error($db));
while($row = mysqli_fetch_array($result)){
echo $row['first_name'];
}
}
?>
I have this registration form that a user fills out and it sends to another page that adds the information in my database. Is there a way that after the person registers I can send the username and password to the sign-in page and it logs them in automatically?
this is the code that adds into my database after a user has registered:
require "connection.php";
session_start();
if ($_POST['firstname'] != "" && $_POST['lastname'] !="" && $_POST['email'] != "" && $_POST['username'] !="" && $_POST['password'] !="")
{
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$username = $_POST['username'];
$query1="SELECT * FROM users WHERE username = '$username' ";
$username = mysqli_real_escape_string($conn,$username);
$password = mysqli_real_escape_string($conn,$password);
$firstname = mysqli_real_escape_string($conn,$firstname);
$lastname = mysqli_real_escape_string($conn,$lastname);
$email = mysqli_real_escape_string($conn,$email);
$result = mysqli_query($conn,$query1)
or die(mysqli_error($conn));
if(mysqli_num_rows($result) != 0)
{
$_SESSION['er_firstname'] = $firstname;
$_SESSION['er_lastname'] = $lastname;
$_SESSION['er_email'] = $email;
header("Location: index.php/?a=1");
}
else {
unset($_SESSION['er_firstname']);
unset($_SESSION['er_lastname']);
unset($_SESSION['er_email']);
$query = "INSERT INTO users (firstname, lastname, password, username) VALUES ('$firstname','$lastname','$email','$password', '$username')";
$data = mysqli_query($conn,$query)or die(mysqli_error($conn));
header("Location: index.php/?a=2");
}
}
?>
And this is my login code that when I user normally enters there username and password to log in:
<?php
session_start();
$username = $_POST['username']; //either username or email
$password = $_POST['password'];
if($username=="" || $password == "")
{
header("Location: index.php");
}
require "connection.php";
if(!empty($username) && !empty($password)) {
$username = mysqli_real_escape_string($conn,$username);
$password = mysqli_real_escape_string($conn,$password);
$query = "SELECT * FROM users WHERE username = '$username' OR email = '$username' AND password = '$password'";
$data = mysqli_query($conn,$query);
if($data) {
if (mysqli_num_rows($data) == 1 ) {
$row = mysqli_fetch_assoc($data);
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
header("Location: http://home");
}
else {
header("Location: index.php/?i=1");
exit();
} }
else {
die("Query failed");
}
}
else {
$_SESSION['message'] = "Please enter a email and password";
header("Location: index.php");
exit();
}
So is there a way to send add.php to login.php, I tried switching the add.php header location to login.php but it didnt work.
You could bypass the entire login screen. You can just apply login logic into your registration processing.
This would involve adding three lines of code by the looks of it.
$_SESSION['id'] = mysqli_insert_id($conn);
$_SESSION['username'] = $row['username'];
header("Location: http://home");
during registration, the user's password is saved in the database as an encrypted BCRYPT password.
My question is: Why can't I verify the encrypted database password with the entered password?
CODE:
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
//ERRS ARRAY DECLARED
$errors = array();
//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] === true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
?>
I'm receiving an error that says 'account does not exist' even when I enter valid information.
Thanks,
-Eugene
EDIT CHANGED TO THIS:
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
if($veri_password === true){
//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
//ERRS ARRAY ESTABLISHED
$errors = array();
//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] === true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
}
?>
change to:
$sql = "SELECT id, username FROM users WHERE email='$email'";
Also change:
$veri_password = password_verify($password, $user_pass);
to
if(!password_verify($password, $user_pass)){
echo 'invalid password';
exit;
}
anyway, your code is vulnerable to sql injection. please consider using prepared statements in your queries or escape input strings with mysql_real_escape_string. . And also it is recommended to use mysqli or pdo instead of procedural methods